CN101473335B - Information processing terminal, safety equipment, method used in the information processing terminal - Google Patents

Information processing terminal, secure device, and method used in the information processing terminal

Info

Publication number
CN101473335B
Authority
CN
China
Prior art keywords
subclauses
clauses
accumulation
hash
application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2007800234337A
Other languages
Chinese (zh)
Other versions
CN101473335A (en)
Inventor
竹川视野
高山久
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Panasonic Holdings Corp
Original Assignee
Matsushita Electric Industrial Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Matsushita Electric Industrial Co Ltd
Publication of CN101473335A
Application granted
Publication of CN101473335B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2151 Time stamp
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/127 Trusted platform modules [TPM]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution
    • H04L2209/603 Digital rights management [DRM]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

An information processing terminal, a status notifying system and a status notifying method with which, when the status of an information processing terminal is notified to a server, privacy and security can be maintained at the same time. An information processing terminal (10) comprises: a publication determining part (1001) that determines, for each entry, the notification destinations to which it may be notified; a log concealing part (1002) that conceals entries; a multiple log determining part (1003) that instructs hash updating for a plurality of notification destinations; a log constituting part (1004) that constitutes the log for a notification destination and causes a signature to be written; a verification requesting part (1005) that requests verification; a policy storing means (1006) that stores the policy used to determine the permitted notification destinations; and a log storing means (1007) that stores the entries. The information processing terminal (10) instructs the accumulation, using hashes, of entries to which processing such as suitable concealment has been applied separately for each notification destination.

Description

Information processing terminal, secure device, and method used in the information processing terminal
Technical field
The present invention relates to a technique for notifying a server of the state of an information processing terminal (for example a personal computer) that receives services provided by the server over a network.
Background art
Services provided over a network have recently become high-value and diverse: distribution of copyrighted works such as music and video, exchange of confidential corporate information, and Internet banking. To support such diverse services, many client programs are installed on information processing terminals such as personal computers, portable terminals, mobile phones and digital home appliances. These programs are given both the function of protecting high-value information and the function of receiving services.
As the value obtained through such services grows, the damage caused by unauthorized modification of the software in the information processing terminal, which circumvents the restrictions the software places on how it may be used, becomes more serious. There is therefore a growing need to verify whether the client software in the terminal to which a service is to be provided, including the execution environment in which that client runs, has been modified without authorization.
To meet this need, the TCG (Trusted Computing Group) and others have proposed techniques for accurately reporting information about the software executed in an information processing terminal. The technique proposed by the TCG is disclosed, for example, in Patent Document 1.
Figure 14 shows a system in which an authentication server 1410 verifies the software executed in an information processing terminal 1400 according to the technique proposed by the TCG and others. The information processing terminal 1400 is equipped with a tamper-resistant module called a TPM (Trusted Platform Module) 1401. This module protects security-critical information such as private keys and hash values, and securely carries out security-critical processing.
The information processing terminal 1400 computes the hash of the code of the software executed from the start-up of CPU 1402 onward, such as the BIOS, the loader or the kernel, and has TPM 1401 store the computed hash. TPM 1401 can submit the hash with a digital signature to the external authentication server 1410 that verifies the state of the information processing terminal. The authentication server 1410 compares this hash with the correct hash and thereby verifies that the information processing terminal is in a state in which correct code has been executed.
A more general form of this hash has become the goal, in which the data representing information about an event such as the start of software or the loading of a driver (hereinafter called an entry) are included. In this form, the program name and the hash of the program's code can be placed in an entry, and the contents of the entries linked together (hereinafter called the "event log" or simply the "log") become the object of assurance.
Specifically, when the code of software such as the BIOS, the loader, the kernel, application A or application B is executed, the CPU 1402 of the information processing terminal 1400 computes the hash of each (hash calculation 1421), sends the computed hash 1422 to TPM 1401, and adds an entry 1424 to the event log 1403. When a hash 1422 is supplied, TPM 1401 concatenates the value it has stored with the received value, computes a hash over the result so as to produce a single hash, and stores that hash in a PCR (Platform Configuration Register) 1404 (accumulation processing 1423).
Even when the data subject to tamper detection later grows, it can be guaranteed with a single hash that also covers its order. Because the state is accumulated in this way, this hash is hereinafter called the accumulation hash. The processing of computing a hash and accumulating the computed hash is also called measurement.
When the authentication server 1410 verifies the software running on the information processing terminal 1400, it first sends a challenge 1425 to the terminal 1400. TPM 1401 concatenates the received challenge 1425 with the accumulation hash stored in PCR 1404, applies a digital signature to the resulting hash (digital signature processing 1426), further concatenates the certificate and the event log 1403, and sends the result to the authentication server 1410 as verification information 1427.
The authentication server 1410 first verifies the signature on the certificate, then verifies the digital signature, checks the entries of the received event log 1403 against the entries registered in the verification data DB 1411, recomputes the accumulation hash and checks the result against the accumulation hash contained in the received verification information 1427, and checks the challenge 1425 against the challenge contained in the received verification information 1427, thereby verifying the software running on the information processing terminal 1400.
As described above, notifying the event log together with the signed accumulation hash allows more detailed verification, because the accumulation hash also makes the event log itself verifiable.
In practice, software is built as a combination of several hierarchical levels. There are cases in which several pieces of software are identical at the lower levels but differ from one another at a higher level, so that many combinations exist. If a single accumulation hash were applied to all of these states, verification would run into difficulty. For this reason the TPM can hold several accumulation hashes: sixteen registers, PCR 0 to PCR 15, are available. When sending a hash to the TPM, CPU 1402 specifies by a number (hereinafter the "accumulation hash number") which accumulation hash is to be updated.
Patent Document 1: JP-T-2002-536757
Summary of the invention
Problem to be solved by the invention
Although notifying the event log to the authentication server 1410 allows more detailed verification, the authentication server 1410 can then ascertain which software and network services the user uses, which raises the concern that privacy information is leaked. A balance between verification and security must therefore be considered.
From the viewpoint of protecting privacy information, it is appropriate to delete or hide some of the information to be notified, depending on the server that is the destination of the state notification. In known configurations, however, if the event log is modified after the accumulation hash has been updated, the event log is judged to have been tampered with, so the content of the event log cannot be modified by deletion or hiding.
The present invention solves this known technical problem and aims to provide an information processing terminal that can notify its own state in such a form that tampering with the event log is detected while privacy information is protected.
Means for solving the problem
The information processing terminal of the present invention is an information processing terminal that notifies a plurality of notified parties of an accumulation of entries, the entries being data representing state changes, and comprises: an accumulation storage part that holds, for each of the plurality of notified parties, an accumulation of entries used to detect tampering with the log of entries; a multi-log measuring part that, based on an entry, updates in order the accumulations of entries that correspond to the respective notified parties and are stored in the accumulation storage part; and a verification requesting part that sends to a notified party data including data produced by attaching a digital signature to the accumulation of entries held in the accumulation storage part for that notified party.
Thus the state is accumulated so that tampering can be detected for each notified party, and the result of the accumulation can be notified to each party. In particular, it can be prevented that a party which provides service on the condition that application A is running is deceived into believing that application A is running, or that another party which provides service on the condition that application B is running is deceived into believing that application B is running.
The information processing terminal of the present invention may also be an information processing terminal that notifies a plurality of notified parties of an accumulation of entries, the entries being data representing state changes, and comprises: a disclosure determining part that determines whether notification of an entry to each notified party is permitted; a log concealing part that produces concealed entries; a log storage part that stores entries; an accumulation storage part that holds, for each notified party, an accumulation of entries used to detect tampering with the log; a multi-log measuring part that, based on the determination made by the disclosure determining part, orders the accumulation held in the accumulation storage part for a notified party to which notification of the entry is not permitted to be updated with the concealed entry, and orders the accumulation held for a notified party to which notification of the entry is permitted to be updated with the unconcealed entry; a log constituting part that, based on the determination made by the disclosure determining part, produces from the entries stored in the log storage part the log to be sent to a notified party in such a way that entries which may not be notified to that party become concealed entries and entries which may be notified to that party become unconcealed entries; and a verification requesting part that sends to the notified party data including the log produced by the log constituting part together with data corresponding to a digital signature on the accumulation of entries held in the accumulation storage part for that notified party.
Thus privacy information is protected by changing the content of the transmitted log for each notified party, while the state is accumulated so that tampering can be detected. In particular, tampering with the event log can be notified to a server in a detectable manner: for example an event log forged so that it appears application A was started although application B is actually running, or an event log that omits the evidence that an application C (spyware or the like) which is actually running was started. And by changing, for each notified party, whether each entry is concealed or not, privacy information can be protected.
The information processing terminal of the present invention is characterized in that the accumulation of entries held by the accumulation storage part is the accumulation hash of those entries.
Thus the notified party can compute the accumulation hash from the received log and check the computed accumulation hash against the one it received, thereby verifying that the log has not been tampered with. In addition, the memory required for the accumulation storage part in the information processing terminal can be reduced.
A secure device of the present invention comprises: an accumulation storage part that holds an accumulation of entries, the entries being data representing state changes of an information processing terminal; an accumulation calculating part that updates the accumulation of entries held in the accumulation storage part; a signature processing part that applies a digital signature to the accumulation of entries; a verification part that verifies data received from the information processing terminal; and a service server that provides a service when the verification of the data by the verification part succeeds.
Thus privacy information is protected by changing the content of the transmitted log for each notified party, and notification is provided to a party such as a server so that tampering can be detected. The service can therefore be provided to an authorized user after the notified log has been verified and examined. Further, important personal information is stored in the secure device, and the service server that has successfully performed verification allows only verified applications to obtain and operate on the personal information, so the personal information can be used safely.
The secure device of the present invention may further comprise an execution environment providing part that provides an execution environment, and an execution environment storage part that stores the execution environment.
Thus access control that permits only access originating from the execution environment provided by the secure device becomes possible. Specifically, the software for the execution environment is supplied from the secure device to the information processing terminal, so the secure device knows which software is to be started in order to realize the execution environment on the terminal. It verifies the log received from the information processing terminal and thereby determines whether the access originates from the execution environment it provided. Only access from that execution environment is permitted, which strengthens security.
In the secure device of the present invention, the verification part receives the accumulation of entries held by the accumulation storage part through an internal interface of the secure device.
In this case, because the verification part receives the accumulation of entries through the internal interface of the secure device, the content of the accumulation is reliable even when it is provided without a digital signature. Since no digital signature is required on the accumulation, the verification processing can be performed correspondingly faster.
The information processing terminal of the present invention may further comprise a verification part that verifies the data received from the verification requesting part, and a service server that provides a service when the verification of the data by the verification part succeeds.
Thus, for example, important personal information is stored in the service server, and the service server that has successfully performed verification allows only verified applications to obtain and operate on the personal information, so the personal information can be used safely through the information processing terminal.
In the information processing terminal of the present invention, the verification part receives the accumulation of entries held by the accumulation storage part through an internal interface, without involving the verification requesting part.
In this case the verification part receives the accumulation of entries through the internal interface, so the content of the accumulation is reliable even when it is provided without a digital signature. Since no digital signature is required on the accumulation, the verification processing can be performed correspondingly faster.
In the multi-log measuring part of the information processing terminal of the present invention, while the accumulated values of the entries for the different notified parties are equal to one another, a single accumulation of entries is held; when the accumulated values for the notified parties would become different from one another, that single accumulation is copied, the resulting multiple accumulations are updated separately, and the separately updated accumulations are then held.
Thus redundant operations for updating the accumulation of entries are saved, and the processing for updating the accumulation of entries can be sped up.
In the information processing terminal of the present invention, the log concealing part holds a master key, generates an encryption key from data produced by encrypting the entry ID with the master key, and encrypts the entry with that encryption key.
Thus the information that must be kept in order to respond to a disclosure request made later can be reduced, and the memory size of the information processing terminal can be reduced.
In the information processing terminal of the present invention, the log concealing part may instead generate the encryption key randomly and encrypt the entry with that key, the information processing terminal further comprising a concealment information storage part that stores the encryption key as concealment information. Thus the encryption key can be generated at random, and security can be improved.
In the information processing terminal of the present invention, the log concealing part deletes part or all of the content of an entry. Thus the content that can be disclosed can be limited depending on the notified party, and security can be improved.
The information processing terminal of the present invention may further comprise: an ID assigning part that assigns a different entry ID to each entry; a concealment information storage part that stores, in association with the entry ID, the concealment information used to conceal each entry; and a log disclosure determining part that, when disclosure of a concealed entry is requested, obtains or generates the information for releasing the concealment that corresponds to the entry ID, determines whether the entry may be disclosed to the requesting party, and, when that party satisfies the conditions for disclosure, transmits the information for releasing the concealment or the entry released from its concealed state.
Thus an entry concealed at the time of notification can later be released from its concealed state on request. Hence, when a fault or fraud that occurred in the information processing terminal is analysed, the concealed information can subsequently be disclosed on request.
In the information processing terminal of the present invention, when determining whether to disclose an entry, the log disclosure determining part presents to the user the entry to be released from its concealed state, so that the user specifies whether the entry is disclosed.
Thus the user learns the content of the entry to be disclosed and can confirm whether disclosing it is appropriate, which strengthens the protection of the user's privacy.
A state notification method of the present invention is a method by which an information processing terminal notifies a server of a log that is the history of state changes of the terminal itself, and comprises the steps of: producing a log in which entries are concealed for a server that is not permitted to be notified of those entries; producing a signed log, which is the concatenation of the data of this log, data produced by attaching a digital signature to the accumulation hash corresponding to this log, and a certificate used to verify the digital signature; and sending the signed log to the server.
Thus the server can first verify the digital signature and thereby confirm that the accumulation hash has not been tampered with. It then verifies the accumulation hash, which makes it possible to confirm that the received log of entries has not been tampered with. Privacy information is protected by changing the content of the transmitted log for each notified party, and the server can be notified in a manner that allows tamper detection.
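The following is an added example, not code from the patent or from Panasonic, that models the scheme described above end to end: the PCR-style accumulation from the background section, one accumulation per notified party with entries concealed under a key derived from a master key and the entry ID (the multi-log measuring and log concealing parts), and the notified party recomputing the accumulation from the log it receives. The policy format, the "name:hash" entry format, the XOR-keystream stand-in for a real cipher and the hash-based stand-in for the TPM signature are this example's own assumptions.

```python
# Added example (not the patent's code): per-party accumulation hashes with
# concealed entries, plus the notified party's verification of what it receives.
import hashlib
import hmac
import secrets
from typing import Callable

ACC_INIT = bytes(32)  # accumulation register starts at zero, like a PCR


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(acc: bytes, entry: bytes) -> bytes:
    """Accumulate one entry: new = H(old || H(entry)), the PCR extend rule."""
    return sha256(acc + sha256(entry))


class LogConcealer:
    """Conceals an entry under a key derived from a master key and the entry ID,
    so only the master key must be kept to answer a later disclosure request."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key

    def key_for(self, entry_id: int) -> bytes:
        return hmac.new(self._master, entry_id.to_bytes(4, "big"), hashlib.sha256).digest()

    def conceal(self, entry_id: int, entry: bytes) -> bytes:
        # XOR with an HMAC-derived keystream: a stand-in for a real cipher (e.g. AES-GCM).
        key = self.key_for(entry_id)
        stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                          for i in range(len(entry) // 32 + 1))
        return bytes(a ^ b for a, b in zip(entry, stream))

    def reveal(self, entry_id: int, hidden: bytes) -> bytes:
        return self.conceal(entry_id, hidden)  # same keystream; XOR is its own inverse


class Terminal:
    """Log storage, one accumulation register per notified party, and the
    log constituting / verification requesting roles of the terminal."""

    def __init__(self, policy: dict[str, Callable[[bytes], bool]], master_key: bytes) -> None:
        self.policy = policy  # party -> "may this entry be disclosed to it?"
        self.concealer = LogConcealer(master_key)
        self.entries: list[bytes] = []  # the entry ID is the list index
        self.acc = {party: ACC_INIT for party in policy}

    def _form_for(self, party: str, entry_id: int) -> bytes:
        entry = self.entries[entry_id]
        return entry if self.policy[party](entry) else self.concealer.conceal(entry_id, entry)

    def measure(self, entry: bytes) -> int:
        """Store a state-change entry and extend every party's accumulation with
        the form (plain or concealed) that party will later be sent."""
        entry_id = len(self.entries)
        self.entries.append(entry)
        for party in self.policy:
            self.acc[party] = extend(self.acc[party], self._form_for(party, entry_id))
        return entry_id

    def build_log(self, party: str) -> list[tuple[int, bool, bytes]]:
        """Rows of (entry ID, disclosed?, payload) for one notified party."""
        return [(i, self.policy[party](e), self._form_for(party, i))
                for i, e in enumerate(self.entries)]

    def verification_info(self, party: str, challenge: bytes) -> dict:
        """Log, accumulation hash and a challenge-bound quote; the quote is a
        plain hash here, standing in for the TPM's digital signature."""
        acc = self.acc[party]
        return {"log": self.build_log(party), "acc": acc, "quote": sha256(challenge + acc)}


def server_verify(info: dict, challenge: bytes) -> bool:
    """Notified party: recompute the accumulation from the received log (concealed
    rows count exactly as received) and check it against the quoted value."""
    acc = ACC_INIT
    for _, _, payload in info["log"]:
        acc = extend(acc, payload)
    return acc == info["acc"] and hmac.compare_digest(sha256(challenge + acc), info["quote"])


def demo() -> dict[str, bool]:
    """Constructed scenario: a bank may see the platform chain and App A, a music
    service the platform chain and App B; anything else is concealed for them."""
    platform = {b"BIOS", b"Loader", b"Kernel"}

    def allows(apps: set) -> Callable[[bytes], bool]:
        return lambda e: e.split(b":")[0] in platform | apps

    term = Terminal({"bank": allows({b"AppA"}), "music": allows({b"AppB"})},
                    secrets.token_bytes(32))
    for e in (b"BIOS:1a2b", b"Loader:3c4d", b"Kernel:5e6f", b"AppA:7788", b"AppB:9900"):
        term.measure(e)
    chal = secrets.token_bytes(16)
    info = term.verification_info("bank", chal)
    music_log = term.build_log("music")
    # Dropping the concealed App B row from the bank's log breaks the accumulation.
    tampered = dict(info, log=[row for row in info["log"] if row[0] != 4])
    return {
        "verified": server_verify(info, chal),
        "appa_hidden_from_music": not music_log[3][1] and music_log[3][2] != b"AppA:7788",
        "tamper_detected": not server_verify(tampered, chal),
        "later_disclosure": term.concealer.reveal(3, music_log[3][2]) == b"AppA:7788",
    }
```

Each party gets a log whose concealed rows still contribute to its accumulation, so deleting or rewriting a concealed entry is detected even though the party never sees its content.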
The invention provides an information processing terminal for receiving a service from a service server, the information processing terminal comprising: a plurality of execution environments (1012); a service client (1011) to be executed on each of the plurality of execution environments, for receiving a service from a service server; one or more pieces of software, including the service client to be executed on each of the execution environments, wherein the entries of software executed on different execution environments are accumulated into different accumulation hashes; a log storage part (1007) that stores the entries of the one or more pieces of software; a log composing part (1004) that extracts the corresponding entries from the entries stored in the log storage part to compose a log; and a verification requesting part (1005) that requests a log in response to a verification request from the service client and receives that log. The verification requesting part sends, to the corresponding service server, the log generated from the entries of the one or more pieces of software running on the execution environment on which the service client runs, so as to request that service server to verify the one or more pieces of software executed in the information processing terminal.
The present invention also provides an information processing terminal for receiving a service from a service server by using a service client, the information processing terminal comprising: system software; one or more applications, including a service client (1011) for receiving a service from a service server; a log storage part (1007) that stores the entries for the system software and the one or more applications; a log composing part (1004) that extracts the corresponding entries from the entries stored in the log storage part to compose a log; a verification requesting part (1005) that requests a log in response to a verification request from the service client and receives that log; and an accumulation calculation part (2001) that separately accumulates a system accumulation hash corresponding to the system software and an application accumulation hash corresponding to the one or more applications. The verification requesting part sends, to the service server, the log generated from the entries corresponding to the system software and the one or more applications, together with the system accumulation hash and the application accumulation hash, so as to request the service server to verify the one or more applications executed in the information processing terminal.
The present invention also provides a security device connected to an information processing terminal, the information processing terminal storing and executing system software and one or more applications, the one or more applications including a service client for receiving a service. The security device comprises: an accumulation calculation part that receives, from the information processing terminal, commands containing a hash and an accumulation hash number, and separately accumulates a system accumulation hash corresponding to the system software and an application accumulation hash corresponding to the one or more applications; a verification part that uses the system accumulation hash and the application accumulation hash to verify the execution state of the one or more applications executed in the information processing terminal; and a server that provides the service to the service client when the verification performed by the verification part succeeds.
The present invention also provides a method for use in an information processing terminal, for receiving a service from a service server by using a service client, the method comprising: storing system software and one or more applications, the one or more applications including a service client (1011) for receiving a service from the service server; storing the entries for the system software and the one or more applications; extracting the corresponding entries from the entries stored in a log storage part to compose a log; requesting a log in response to a verification request from the service client, and receiving that log; and separately accumulating a system accumulation hash corresponding to the system software and an application accumulation hash corresponding to the one or more applications; wherein the log generated from the entries corresponding to the system software and the one or more applications, together with the system accumulation hash and the application accumulation hash, is sent to the service server so as to request the service server to verify the one or more applications executed in the information processing terminal.
Advantages of the present invention
The information processing terminal of the present invention protects privacy information by changing whether each entry is hidden or not according to the server to be notified, and provides notification in such a way that tampering with the event log can be detected. In addition, when a fault or deception that occurred in the information processing terminal while receiving a service is to be analysed, the information processing terminal of the present invention can subsequently disclose the hidden information if necessary.
Description of drawings
Fig. 1 is the block diagram of the first embodiment of the present invention.
Fig. 2 is the block diagram of the second embodiment of the present invention.
Fig. 3 is the block diagram of the third embodiment of the present invention.
Fig. 4 is the block diagram of the fourth embodiment of the present invention.
Fig. 5 is an explanatory diagram of the accumulation calculation of the first embodiment of the present invention.
Fig. 6(a) is an explanatory diagram of the notification operation of the information processing terminal of the first embodiment of the present invention; Fig. 6(b) is an explanatory diagram of the verification operation of the server of the first embodiment of the present invention; and Fig. 6(c) is an explanatory diagram of the operation for disclosing hidden entries of the first embodiment of the present invention.
Fig. 7 is an explanatory diagram of the disclosure operation of the first embodiment of the present invention.
Fig. 8 is an explanatory diagram of a concrete example of the first embodiment of the present invention.
Fig. 9 is an explanatory diagram of concrete sample data of the first embodiment of the present invention.
Figure 10 is an explanatory diagram of the accumulation calculation of the third embodiment of the present invention.
Figure 11 is an explanatory diagram of the notification operation of the third embodiment of the present invention.
Figure 12 is an explanatory diagram of a concrete example of the third embodiment of the present invention.
Figure 13 is a view of the software stack of the second embodiment of the present invention.
Figure 14 is an explanatory diagram of a system that verifies the software running on an information processing terminal according to a known technique.
Description of reference numerals
10 information processing terminal
1001 disclosure/non-disclosure determination part
1002 log hiding part
1003 multi-log measurement part
1004 log composing part
1005 verification requesting part
1006 policy storage part
1007 log storage part
1008 ID assignment part
1009 hiding-information storage part
1010 log disclosure determination part
1011 service client
1012 virtual execution environment
1013 virtualization software
1014 system measurement part
20 security module
2001 accumulation calculation part
2002 signature processing part
2003 accumulation hash storage area
30 server
3001 verification part
3002 log disclosure part
3003 log saving part
3004 server DB
3005 service server
40 security device
4001 accumulation calculation part
4002 signature processing part
4003 accumulation hash storage area
4004 verification part
4005 server DB
4006 service server
4007 execution environment providing part
4008 execution environment storage area
Embodiments
Hereinafter, embodiments of the invention will be described with reference to the drawings.
(First embodiment)
The first embodiment of the present invention describes an information processing terminal that comprises a tamper-resistant storage area and a security module equipped with a processor. The terminal accumulates an event log from terminal start-up, updating an accumulation hash, and sends data to a server in order to receive a service; the server verifies this data. The data is produced by concatenating (i) the event log, (ii) digitally signed data attached to the accumulation hash corresponding to the event log, and (iii) the certificate used to verify the digital signature (data concatenated in this way is hereinafter called a "signed log").
Fig. 1 is a block diagram of the first embodiment of the present invention. The configuration of the embodiment will be described with reference to Fig. 1. The information processing terminal 10 has: a disclosure/non-disclosure determination part 1001, which determines the servers to which an entry may be disclosed; a log hiding part 1002, which hides entries from the servers to which they are not disclosed; a multi-log measurement part 1003, which receives the entries that are not hidden and the entries to be hidden, and orders a plurality of accumulation hashes to be updated according to the determination result of the disclosure/non-disclosure determination part 1001; a log composing part 1004, which composes a log appropriate to the notified server; a verification requesting part 1005, which notifies the server of the signed log so as to request verification; a policy storage part 1006, which stores policy data; a log storage part 1007, which stores entries; an ID assignment part 1008, which assigns Entry IDs to entries; a hiding-information storage part 1009, which stores hiding information about hidden entries; a log disclosure determination part 1010, which determines whether to disclose the entry corresponding to an input Entry ID; and a service client 1011, which receives a service from the server.
The security module 20 has: an accumulation calculation part 2001, which receives a hash and an accumulation hash number and updates the corresponding accumulation hash; a signature processing part 2002, which computes a digital signature over an accumulation hash; and an accumulation hash storage area 2003, which stores the accumulation hashes. The security module 20 preferably has a tamper-resistance function.
The server 30 has: a verification part 3001, which verifies the signed log; a log disclosure part 3002, which receives hiding information so as to cancel the hiding of an entry; a log saving part 3003, which saves logs; a server DB 3004, which records the data used to verify logs; and a service server 3005, which provides the service.
The information processing terminal 10 is, for example, a personal computer or a mobile phone. The disclosure/non-disclosure determination part 1001, log hiding part 1002, multi-log measurement part 1003, log composing part 1004, verification requesting part 1005, ID assignment part 1008, log disclosure determination part 1010 and service client 1011 are implemented as software executed by a CPU provided in the information processing terminal 10. The policy storage part 1006, log storage part 1007 and hiding-information storage part 1009 are made up of a storage device such as an HDD or semiconductor memory.
The security module 20 is, for example, a chip with a tamper-resistance function such as a TPM. The accumulation calculation part 2001 and signature processing part 2002 are realized by a processor provided in the security module 20, and the accumulation hash storage area 2003 is realized by a storage device provided in the security module 20.
The server 30 is, for example, a high-performance personal computer. The verification part 3001, log disclosure part 3002, service server 3005 and so on are implemented as software executed by a CPU provided in the server 30. The log saving part 3003 and server DB 3004 are made up of a storage device such as an HDD or semiconductor memory.
The measurement operation for the accumulation hashes when an event occurs will now be described with reference to Fig. 5. An entry of event information generated by the information processing terminal 10 is passed to the ID assignment part 1008. The ID assignment part 1008 gives the entry an Entry ID that uniquely identifies it (ID assignment step S101).
The disclosure/non-disclosure determination part 1001 uses the policy data stored in the policy storage part 1006 to determine the servers to which the entry may be disclosed (disclosure/non-disclosure determination step S102). In this case, the policy data specifying the parties to whom disclosure may be made can be set by the supplier of the software to which the entry relates, by the operator of the information system that includes the information processing terminal 10, or by the user of the information processing terminal 10.
The log hiding part 1002 stores the entry in the log storage part 1007 and hides the entry from the servers to which it is not disclosed (log hiding step S103). At this time, the log hiding part 1002 stores, in the hiding-information storage part 1009, information indicating how the entry was hidden.
The hiding processing is, for example, encryption with a randomly generated key. In this case the encryption key is stored as hiding information corresponding to the Entry ID. Alternatively, a symmetric key that is unique to the device and kept secret may be used as a master key, and the key used for hiding may be generated as the data obtained by encrypting the Entry ID with this master key. Alternatively, the entry may be deleted entirely, or only fragmentary information about the entry may be kept. In that case the entry itself is stored as the hiding information, so that the entry can be disclosed later when necessary.
The multi-log measurement part 1003 receives the entries that are not hidden and the entries to be hidden, and orders the security module 20 to update a plurality of accumulation hashes according to the determination result of the disclosure/non-disclosure determination part 1001 (multi-log measurement step S104). More specifically, it passes the accumulation hash number and the hash of the entry to the security module 20, thereby ordering the security module 20 to perform the processing of accumulating the hash of the entry, hidden where required, into the accumulation hash corresponding to each server.
The accumulation calculation part 2001 of the security module 20 receives the hash and the accumulation hash number and updates the corresponding accumulation hash. The accumulation hash is stored in the accumulation hash storage area 2003 (accumulation calculation step S105).
The operation in which the service client notifies the service server of the state will now be described with reference to Figs. 6A and 6B. To receive a service from a service server, the service client sends a notification by this operation so that the service server can find out the current state of the information processing terminal. First, the service client 1011 requests verification from the verification requesting part 1005 (verification request step S111).
The verification requesting part 1005 requests a signed log from the log composing part 1004 (signed-log request step S112). The log composing part 1004 extracts the corresponding entries from the log storage part 1007, applies the hiding processing to those entries as required so as to compose a log appropriate to the notified server, and designates the accumulation hash number corresponding to that notified server to request a signature from the signature processing part 2002 (signature request step S113).
The signature processing part 2002 computes a digital signature over the accumulation hash of the designated accumulation hash number (signature processing step S114). The computation of the digital signature is the usual computation that processes the accumulation hash with the signing key of the security module 20, and can be performed with a well-known technique such as RSA. Note that if the hashes belonging to the same data sequence have identical values, the results of the digital signature also become identical to each other, depending on the algorithm. For this reason it is appropriate to take a countermeasure against replay attacks, by using a random number received from the server or by having the entries include a timestamp.
This digital signature is the digital signature over the accumulation hash corresponding to the composed log. The verification requesting part 1005, having received the digital signature from the signature processing part 2002, generates the signed log and sends it to the verification part 3001 (signed-log sending step S115).
The verification part 3001 receives the signed log; first verifies the certificate; then verifies, using the public key contained in the certificate, the signature attached to the accumulation hash, so as to find out that the accumulation hash has not been tampered with; computes the accumulation hash from the received log of entries; and checks the computed accumulation hash against the received accumulation hash, thereby verifying that there is no inconsistency between the received accumulation hash and the log of entries.
In addition, the data for verifying the log is extracted from the server DB 3004 and the log is verified (log verification step S116). The verification part 3001 stores the received signed log in the log saving part 3003.
When it is confirmed that the operating state of the service client 1011 presents no problem, the service server 3005 provides the service (service provision step S117). Preferably, a session key is shared between the service client 1011 and the service server 3005 during the series of communication processes for notification and verification, and that session key is used for communication when the service is provided.
The operation for disclosing a hidden entry after the information processing terminal 10 has sent a notification to the server 30 will now be described with reference to Fig. 7 and Fig. 6C.
The log disclosure determination part 1010 of the information processing terminal 10 determines whether to disclose the entry designated by an Entry ID (log disclosure determination step S121). When it is determined that the entry may be disclosed, the hiding information for that entry is extracted from the hiding-information storage part 1009, and the extracted hiding information is sent to the destination to which the entry is to be disclosed (hiding-information sending step S122).
The party requesting disclosure of the log is, for example, a user who has found a fault or a server administrator who suspects deception, and the entry whose disclosure is requested is designated by its Entry ID. The log disclosure determination part 1010 determines disclosure automatically according to given rules (for example, a rule to disclose entries only in response to requests from authenticated users or servers). Since the information to be disclosed may contain privacy information, a command input by the user may also be included as an element of the disclosure determination made by the log disclosure determination part 1010. In this case the user considers the content of the entry and the necessity of its disclosure, makes the determination, and inputs a command to the information processing terminal. In response to a request for disclosure of an entry, the hidden entry itself, rather than the Entry ID, may also be input to the log disclosure determination part 1010. Furthermore, instead of the hiding information, the entry released from its hidden state may be sent to the destination to which the entry is to be disclosed.
The log disclosure part 3002 of the server 30 receives the hiding information, extracts the hidden entry from the log saving part 3003, and releases the entry from its hidden state (hiding release step S123).
Concrete sample data will now be described with reference to Figs. 8A to 8D. Fig. 8A shows concrete sample data attached to an entry. The first line shows the Entry ID. The second line shows a timestamp representing the time the event occurred. The third line shows the type of event; here the loading of a component is described. Another possible event type besides loading is, for example, unloading. The fourth line shows a name that makes it possible to identify the relevant component. The fifth line shows the hash of the component. The sixth line shows the version. Some lines become unnecessary depending on the type of event.
Fig. 8C shows concrete sample data attached to a policy. The first line shows the name of the service. The second line shows the list of names of the components used to provide the service. The third line shows the designation of the server that provides the service. In addition, the names of the servers (or services) permitted to be notified may also be included in the policy.
A general description of the concrete data example will be given first. When the power is turned on, the information processing terminal executes processing in the order BIOS, loader and kernel, and measures the resulting events. Next, applications are measured and executed using the functions of the kernel.
The service to which an event belongs is determined; it is further determined which servers meet the notification condition; and measurement is carried out. Entries that are not hidden are accumulated into the accumulation hashes corresponding to the servers that meet the notification condition, while partially encrypted entries are accumulated into the accumulation hashes corresponding to the servers that do not meet the notification condition.
When necessary, for example when an application establishes a connection with a server, the log to be notified to the server is built from the entries, and the corresponding accumulation hash is signed and sent to the server. The server verifies whether the received log has been tampered with and, after confirming that it has not, verifies the log. After finding out from the content of the log whether the requested, authorized components are running, the service is provided.
If, after provision of the service has begun, a fault occurs due to the presence of a component of another service, the details of that component's entry are disclosed so as to allow the server administrator to carry out checks.
A concrete example of the first embodiment will now be described with reference to Fig. 9. In this concrete example, all logs relating to the system are always sent unchanged and, for efficiency, are therefore measured separately from the logs measured for each server. For this reason a system measurement part is provided separately, but this configuration is not essential.
First, when a component is executed an event occurs and an entry is generated. The timestamp, type, name, hash and version described above are written in the entry. In this example, processing is executed in the order BIOS, loader, kernel, application A, application B and application C. Each of the BIOS, loader, kernel, application A, application B and application C may also consist of multiple components; in that case an entry is generated as the execution result of each component. Application A is the client software of service A. Likewise, application B is the client software of service B, and application C is the client software of service C. Strictly speaking, the following description applies to the measurement operation immediately after the kernel; however, similar processing is assumed to have been executed for the BIOS, loader and kernel as well.
The ID assignment part 1008 sequentially assigns labels (numbers) to the generated entries. The labels start from the beginning and increase monotonically. The value is retained and not reset even when the power is turned off.
The disclosure/non-disclosure determination part 1001 receives the entry that has been assigned an Entry ID, and determines, using the policy stored in the policy storage part 1006, which servers meet the notification condition. It identifies the service to which the component belongs and the server corresponding to that service, and determines that notification may be provided to that server.
In addition, notification to related servers may also be permitted; in that case a description to that effect is provided in the policy. In this example, the BIOS, loader and kernel entries are determined to correspond to the system; application A is determined to be notifiable to server A; application B is determined to be notifiable to server B; and application C is determined to be notifiable to server A and server B.
A concrete description is given using the entry illustrated in Fig. 8A, the policy A illustrated in Fig. 8C and the policy B illustrated in Fig. 8D.
The disclosure/non-disclosure determination part 1001 obtains the name drm-b.dll from the entry and searches for this name in the "service files" field of the policies. The name is not included in policy A (Fig. 8C) but is included in policy B (Fig. 8D); the entry therefore corresponds to application B. The content of the "server" field of policy B indicates the name of the server to be notified, which in this embodiment is drm.example.org. It is thus determined that this entry may be notified to drm.example.org (assumed to be server B) and not to other servers.
For fast searching of services by name, it is desirable to keep the data in a form that allows efficient retrieval, for example a database that retrieves a service by its name.
For entries belonging to the system, the log hiding part 1002 passes the entry as-is to the system measurement part 1014. In other cases, the entry is subjected to the hiding operation, and both the original entry and the hidden entry are passed to the multi-log measurement part 1003. In the drawings, diagonal lines on an entry indicate that the entry has undergone the hiding operation.
An example hiding operation will be described. The Entry ID and timestamp are left unhidden. First, the hash of the plaintext part to be hidden is computed and inserted as the third line. Next, the key used for encryption is generated from the data produced by encrypting the Entry ID with the master key. Finally, the fourth line of the entry and the lines after it are encrypted, completing the hiding operation. Fig. 8B shows an example hidden entry. With this method no particular information is stored as hiding information, because the key used for decryption can be regenerated from the first line received from the server. When the key used for encryption is generated at random, the key is stored in correspondence with the Entry ID.
The original entry and the list of servers that may be notified are stored in the log storage part 1007. If the hidden entry is also stored, the processing speed at notification time is improved; however, since this requires redundant storage space, whether to store hidden entries is chosen according to the capacity of the log storage part 1007.
The system measurement part 1014 computes the hash of the entry and sends the computed hash, together with the accumulation hash number corresponding to the system, to the accumulation calculation part 2001. The accumulation calculation part 2001 accumulates it into accumulation hash S, the accumulation hash corresponding to the system.
The multi-log measurement part 1003 receives the original entry and the hidden entry and, for every server, sends the hash processed for that server, together with the accumulation hash number corresponding to that server, to the accumulation calculation part 2001. When an entry is accumulated for the first time, an accumulation hash number not yet in use is allocated as that server's accumulation hash number, and the number is stored in correspondence with the server for subsequent use.
The accumulation calculation part 2001 accumulates the hash of the entry into the accumulation hash corresponding to each server; for example, the hash of the entry assigned for server A is accumulated into accumulation hash A, and the hash of the entry assigned for server B is accumulated into accumulation hash B. In the concrete example shown in Fig. 9, the hash of the entry is accumulated as-is into accumulation hash A for entries relating to application A, and the hash of the hidden entry is accumulated into accumulation hash A for entries relating to application B. Conversely, the hash of the hidden entry is accumulated into accumulation hash B for entries relating to application A, and the hash of the entry is accumulated as-is into accumulation hash B for entries relating to application B.
During accumulation, accumulation is also performed for the accumulation hashes assigned to the servers of services whose applications have not started. It can be assumed that most services permit only their own server to be notified of their entries. The entries of other services are accumulated in hidden form into the accumulation hashes assigned to the servers of services whose applications have not started, so in many cases it is hidden entries that are accumulated there. In that case, the values of the accumulation hashes assigned to the servers of several services whose applications have not started become equal to one another. By exploiting this property, as long as the values of the accumulation hashes are equal to one another, accumulation is performed as if they were a single accumulation hash. When a difference arises between the values of the accumulation hashes, the accumulation hash is duplicated and the accumulation hashes are thereafter accumulated separately, so that the amount of computation required for accumulation can be reduced.
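The measurement flow of steps S101 to S105, the example hiding operation, the per-server accumulation of Fig. 9 and the release of a hidden entry (step S123), put together in Python as an added illustration; this is not code from the patent. The policy, server names, entries and master key are constructed placeholders. HMAC-SHA256 stands in for both "encrypt the Entry ID under the master key" and the entry encryption itself (a counter keystream), and the entry is split into a clear part (Entry ID and timestamp), a digest line and an encrypted remainder following the description of the hiding operation above.

```python
import hashlib
import hmac
import json

# Constructed sample policies in the shape of Figs. 8C/8D (service name, component
# files, server). Names are placeholders, not the patent's own data.
POLICIES = {
    "service A": {"files": ["player-a.exe"], "server": "server-a.example"},
    "service B": {"files": ["drm-b.dll"], "server": "drm.example.org"},
}
SERVERS = [p["server"] for p in POLICIES.values()]
# Device-unique secret master key; in the patent it would live in the security module.
MASTER_KEY = b"constructed-device-master-key"
ZERO = bytes(32)  # initial value of every accumulation hash


def servers_allowed(entry):
    """Disclosure determination (step S102): servers whose policy lists the component name."""
    return [p["server"] for p in POLICIES.values() if entry["name"] in p["files"]]


def hiding_key(entry_id):
    """Per-entry key derived from the master key and the Entry ID (stand-in for
    'encrypt the Entry ID with the master key'); nothing needs to be stored for it."""
    return hmac.new(MASTER_KEY, str(entry_id).encode(), hashlib.sha256).digest()


def keystream_xor(key, data):
    """Illustrative cipher stand-in: XOR with an HMAC-SHA256 counter keystream.
    A real implementation would use an authenticated cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def hide(entry):
    """Hiding operation: Entry ID and timestamp stay clear, the next line carries the hash
    of the hidden plaintext (type, name, hash, version), and that plaintext is encrypted."""
    secret = json.dumps({k: entry[k] for k in ("type", "name", "hash", "version")},
                        sort_keys=True).encode()
    return {
        "id": entry["id"],
        "ts": entry["ts"],
        "digest": hashlib.sha256(secret).hexdigest(),
        "ciphertext": keystream_xor(hiding_key(entry["id"]), secret).hex(),
    }


def reveal(hidden, key):
    """Hiding release (step S123): decrypt with the received hiding information and
    check the recovered plaintext against the digest line of the hidden entry."""
    secret = keystream_xor(key, bytes.fromhex(hidden["ciphertext"]))
    if hashlib.sha256(secret).hexdigest() != hidden["digest"]:
        raise ValueError("hidden entry does not match its digest")
    return {"id": hidden["id"], "ts": hidden["ts"], **json.loads(secret)}


def entry_hash(entry):
    """Hash of an entry (clear or hidden) as passed to the accumulation calculation part."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).digest()


def extend(acc, h):
    """Accumulation calculation (step S105): acc = H(acc || h), the shape of a PCR extend."""
    return hashlib.sha256(acc + h).digest()


def measure(entries):
    """Multi-log measurement (step S104): one accumulation hash per server, fed with the
    clear entry for servers allowed to see it and the hidden entry for all others.
    Returns the accumulators and the per-server log that will later be composed."""
    accs = {s: ZERO for s in SERVERS}
    logs = {s: [] for s in SERVERS}
    for entry in entries:
        allowed = servers_allowed(entry)
        hidden = hide(entry)
        for server in SERVERS:
            e = entry if server in allowed else hidden
            accs[server] = extend(accs[server], entry_hash(e))
            logs[server].append(e)
    return accs, logs


# Constructed entries in the shape of Fig. 8A (all values made up for this example).
SAMPLE_ENTRIES = [
    {"id": 4, "ts": "2007-01-01T00:00:04", "type": "load", "name": "player-a.exe",
     "hash": "a" * 64, "version": "1.0"},
    {"id": 5, "ts": "2007-01-01T00:00:05", "type": "load", "name": "drm-b.dll",
     "hash": "b" * 64, "version": "2.1"},
]

if __name__ == "__main__":
    accs, logs = measure(SAMPLE_ENTRIES)
    for s in SERVERS:
        print(s, accs[s].hex()[:16], ["clear" if "name" in e else "hidden" for e in logs[s]])
```

Because the hiding key is a deterministic function of the master key and the Entry ID, the hidden entry accumulated at measurement time and the hidden entry composed into the log at notification time are byte-identical, which is what lets a server that only ever sees the hidden form still reproduce the accumulation hash.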
The flow of accumulation has been described above. Notification will now be described. The service client receiving a service sends the name of the server to be notified to the log composing part and requests a signed log.
The log composing part 1004 extracts entries from the log storage part 1007 and concatenates the extracted entries to create the log. At this time, when the server's name is included in the list of servers that must be notified, the entry is concatenated as-is; when the name is not included, the hidden entry is concatenated. When the hidden entry was stored at accumulation time, that stored hidden entry is used. In addition, the signature processing part 2002 is requested to attach signatures to the accumulation hash corresponding to the system log and to the accumulation hash corresponding to the service.
The signature processing part 2002 attaches a signature to the designated accumulation hash. The log composing part 1004 returns the log and the signatures to the verification requesting part 1005, which further concatenates the certificate with them to produce the signed log and notifies the server of the signed log. For example, server A 301 receives signed log A, which comprises the signed accumulation hash S, the signed accumulation hash A, the log in which the entries belonging to application B are hidden, and the certificate. Server B 302 receives signed log B, which comprises the signed accumulation hash S, the signed accumulation hash B, the log in which the entries belonging to application A are hidden, and the certificate.
In each server, the log is stored in the log saving part 3003. Each server first verifies the certificate; further verifies, using the public key contained in the certificate, the signature attached to the accumulation hash, thereby finding out that the log has not been tampered with; computes the accumulation hash from the log of received entries; and checks the computed hash against the received accumulation hash, thereby verifying that there is no inconsistency between the received accumulation hash and the log of entries. Even for hidden entries the hash is computed in the same way as for entries that are not hidden, and the accumulation hash is computed accordingly. Each server can thus find out the entries that are necessary and sufficient for providing its service, and can further verify, using the information in the server DB, whether the state of the information processing terminal causes any problem when the system provides the service.
For example, it is possible to confirm that the components of application A are not illegal, that no unauthorized component is running, and conversely that another required component (for example drm-b.dll) is running. The user of the terminal need not disclose entries that have not been requested so far, so privacy is protected.
The above is the flow of notification. Disclosure will now be described. Suppose that the user of server A has learned that the service client of the corresponding service is not operating normally and the service cannot be provided, and that a notification to this effect has been made to server A. When the administrator of server A receives this notification and considers it necessary to confirm the content of the hidden entries (the entries of application B) in order to analyze the fault, the administrator sends the Entry IDs of the hidden entries to log disclosure confirmation part 1010 and requests disclosure of these entries.
Log disclosure confirmation part 1010 determines whether to disclose the entries corresponding to the Entry IDs. In the present embodiment, the Entry ID is extracted from the hidden entry, the encryption key is generated from the data produced by encrypting the Entry ID with the master key, and the entry is released from its hidden state so that its content can be presented to the user, who then decides whether to disclose the entry.
When the user, having seen the content of the entries belonging to application B, decides that the entries may be disclosed and inputs a command to this effect, the information processing terminal 10 sends the unhidden entries to server A. Server A calculates the hash of the plaintext part corresponding to the hidden part and compares the calculated hash with the corresponding hash contained in the hidden entry (the hash value in the third row of the example shown in Fig. 8B), thereby confirming that the content of the entries is correct.
The above is the flow of disclosure. When the content of hidden entries must be disclosed after a notification, it can be disclosed in this way.
As described above, in the present embodiment entries are accumulated in an accumulated hash for each server, and the digitally signed accumulated hash and the log of reconstituted entries are sent to the server. The server verifies the digital signature and verifies the consistency between the accumulated hash and the log of entries. The server first verifies, using the digital signature attached to the accumulated hash, that the received accumulated hash is the one stored in the information processing terminal; calculates the accumulated hash from the log of received entries; and compares the calculated accumulated hash with the received accumulated hash, thereby verifying that there is no inconsistency between the received accumulated hash and the log of entries. Thus both security and privacy information are protected.
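The notification, verification and disclosure flow described above, as an added example that is not part of the patent: the terminal keeps S and one application accumulated hash per server, hides the other service's entries, and the server re-derives both hashes from the received log. Assumed: SHA-256 accumulation in the order H(acc || H(entry)), an HMAC under a shared device key standing in for the RSA signature, a hidden entry carrying only the Entry ID and the hash of the plaintext, and the constructed server and component names below.

```python
import hashlib
import hmac
import json

INITIAL = bytes(32)  # assumed initial value of every accumulated hash (constructed)

def canonical(obj) -> bytes:
    """Serialize an entry or its content deterministically before hashing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def extend(acc: bytes, entry: dict) -> bytes:
    """One accumulation step (claim 7): H(acc || H(entry)); the order is an assumption."""
    return hashlib.sha256(acc + hashlib.sha256(canonical(entry)).digest()).digest()

def hide(entry: dict) -> dict:
    """Hidden form: Entry ID plus the hash of the plaintext part (third row of Fig. 8B).
    Assumption: instead of an encrypted copy, the terminal keeps the plaintext locally."""
    return {"id": entry["id"], "hidden": hashlib.sha256(canonical(entry["content"])).hexdigest()}

class Terminal:
    """Information processing terminal 10: system hash S plus one application hash per server."""

    def __init__(self, policy: dict, device_key: bytes):
        # policy: application name -> servers allowed to see its entries (constructed)
        self.policy, self.key = policy, device_key
        self.servers = sorted({s for allowed in policy.values() for s in allowed})
        self.system_hash = INITIAL
        self.app_hash = {s: INITIAL for s in self.servers}
        self.log_store = []  # log store part 1007, in measurement order

    def record(self, entry: dict) -> None:
        """Accumulate a new entry: system entries into S, application entries into
        every server's hash, in hidden form where the policy does not allow them."""
        self.log_store.append(entry)
        if entry["owner"] == "sys":
            self.system_hash = extend(self.system_hash, entry)
            return
        hidden = hide(entry)
        for server in self.servers:
            visible = server in self.policy[entry["owner"]]
            self.app_hash[server] = extend(self.app_hash[server], entry if visible else hidden)

    def sign(self, data: bytes) -> bytes:
        # Stand-in for the RSA signature of signature process part 2002: an HMAC
        # under a device key that the verifier also holds (constructed simplification).
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def signed_log(self, server: str) -> dict:
        """Log formation part 1004 and verification request part 1005: the log for
        one server, other services' entries hidden, plus both signed hashes."""
        log = []
        for e in self.log_store:
            visible = e["owner"] == "sys" or server in self.policy[e["owner"]]
            log.append(e if visible else hide(e))
        s, a = self.system_hash, self.app_hash[server]
        return {"log": log, "S": s, "app": a, "sig": self.sign(s + a)}

class Server:
    """Service server: checks the signature, then recomputes both hashes from the log."""

    def __init__(self, device_key: bytes):
        self.key = device_key

    def verify(self, msg: dict) -> bool:
        expected = hmac.new(self.key, msg["S"] + msg["app"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["sig"]):
            return False
        s, a = INITIAL, INITIAL
        for e in msg["log"]:  # hidden entries are hashed exactly like plain ones
            if e.get("owner") == "sys":
                s = extend(s, e)
            else:
                a = extend(a, e)
        return s == msg["S"] and a == msg["app"]

    @staticmethod
    def verify_disclosure(hidden_entry: dict, content: dict) -> bool:
        """Disclosure flow: hash the released plaintext, compare with the hidden entry's hash."""
        digest = hashlib.sha256(canonical(content)).hexdigest()
        return hmac.compare_digest(digest, hidden_entry["hidden"])

def demo() -> dict:
    """Constructed run: application A visible only to server A, B only to server B."""
    key = b"constructed-device-key"
    terminal = Terminal({"A": {"srvA"}, "B": {"srvB"}}, key)
    components = [("sys", "BIOS"), ("sys", "loader"), ("sys", "kernel"),
                  ("A", "appA.exe"), ("B", "drm-b.dll")]
    for i, (owner, name) in enumerate(components):
        terminal.record({"id": i, "owner": owner, "content": {"name": name, "hash": f"h{i}"}})
    msg_a = terminal.signed_log("srvA")
    server_a = Server(key)
    # A log that drops application A's entry no longer matches the signed hash.
    tampered = {**msg_a, "log": msg_a["log"][:3] + msg_a["log"][4:]}
    hidden_b = msg_a["log"][4]  # application B's entry as server A sees it
    disclosed = server_a.verify_disclosure(hidden_b, terminal.log_store[4]["content"])
    return {"verified": server_a.verify(msg_a), "tampered_verified": server_a.verify(tampered),
            "b_hidden_for_a": "owner" not in hidden_b, "disclosure_ok": disclosed}
```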
In the present embodiment, for simplicity of explanation, each server has been described as a server providing a service in the application layer, for example to application A and application B. However, each server may also provide a service to several pieces of software in different layers, for example the BIOS, the kernel program and applications. When the information processing terminal is a mobile phone, each server may also be a server of the device manufacturer or of the operator providing the mobile phone network service. Even in such cases, entries are accumulated in an accumulated hash for each server.
In the present embodiment, ID allocation part 1008 allocates to each entry an Entry ID that uniquely identifies the entry; however, the same ID may also be allocated to entries with identical content.
In the present embodiment, disclosure/non-disclosure determination part 1001 determines the individual servers to which an entry may be disclosed, and the presence or absence of hiding is determined on a per-server basis; however, the determination may also be made so that different hiding processing is performed from one server to another. Although in the present embodiment the servers examine each component, the information processing terminal may also perform the verification, for example using a certificate, and include the result of the verification in the entry.
In the present embodiment, all entries belonging to the system are disclosed, but the content to be notified may also be varied per server. For example, the user may provide a policy that restricts the system entries. For example, entries belonging to devices that a server does not need to be notified of are not notified, so that the kind of device in use can remain unknown.
(Second embodiment)
The second embodiment of the present invention describes the case where the service client operates in a virtual execution environment. Because the virtualization software separates the virtual execution environment from the execution environment realized by the kernel program, these environments do not interact, and it is unnecessary to notify components operating in a different execution environment. For this purpose, the virtualization software and the components used before the virtualization software is executed must be verified.
Fig. 2 is a block diagram of the second embodiment of the present invention. Its configuration will be described with reference to Fig. 2. In addition to the elements of the information processing terminal described in the first embodiment, the information processing terminal 10 has a virtual execution environment 1012 realized by a kernel program different from the initially started kernel program, and virtualization software 1013 that executes the virtual execution environment 1012.
The operation of the terminal will now be described. After the kernel program is started as a result of powering on the information processing terminal 10, the virtualization software 1013 is measured and started. The virtualization software 1013 prepares and executes the virtual execution environment 1012. The virtualization software 1013 separates the virtual execution environment 1012 from the original execution environment, so that the virtual execution environment and the applications operating in it do not directly affect the original execution environment.
Service client 1011 is executed in the virtual execution environment 1012. Service client 1011 is also measured at this time, but its measurement is accumulated in a hash different from the accumulated hash used for the measurements of the original execution environment. When multiple service clients 1011 are executed, multiple accumulations are performed as in the first embodiment, and in this case too, hashes different from the accumulated hashes used in the original execution environment are used for accumulation.
A service client operating in the original execution environment uses the accumulated hash of the original execution environment to notify its server, and a service client operating in the virtual execution environment uses the accumulated hash of the virtual execution environment to notify its server, so that confidentiality is further enhanced.
Although this uses many resources, multiple execution environments may also be prepared to reduce the number of service clients allocated to one execution environment and thereby enhance confidentiality further. Reducing the number of service clients may go as far as allocating one execution environment to each service client. In that case, when a fault occurs, it can be indicated whether the cause of the fault lies in the service client, in the execution environment of the service client, in the virtualization software, or in lower-level components.
A concrete example will be described with reference to Fig. 12. After the information processing terminal starts, the software is started in the following order: in the original execution environment, the BIOS, the loader, the kernel program, VL (an abbreviation for the virtualization layer, corresponding to the virtualization software), kernel program' (Kernel', corresponding to the virtual execution environment), application A and application B; and in the virtual execution environment, application C and application D. Fig. 13A shows the software stack realized in this state.
Suppose that each service allows its entries to be notified to its own server. Suppose that the BIOS, the loader, the kernel program, VL and kernel program' are system entries that are disclosed.
To guarantee that the state of the virtual execution environment is correct, the correctness of the original execution environment must also be guaranteed, so the entries of the original execution environment are submitted to the virtual execution environment. The virtualization software submits these entries to the virtual execution environment. The entries submitted in this way and the entry of kernel program' (Kernel'), which serves as the virtual execution environment, are accumulated, forming accumulated hash S' for the virtual execution environment.
As in the first embodiment, the BIOS, the loader, the kernel program, VL, application A and application B are accumulated. After VL starts, kernel program' (Kernel') is started, and then application C and application D are started. Entries produced in the virtual execution environment after kernel program' (Kernel') starts are accumulated in accumulated hashes independent of the original execution environment.
The arrows in Fig. 12 show which entries are accumulated in each accumulated hash. For example, the entries of application A are accumulated as is in accumulated hash A, and the entries of application B are accumulated in hidden form in accumulated hash A. The entries of application C and application D are not accumulated there. Likewise, the entries of application C are accumulated as is in accumulated hash C, and the entries of application D are accumulated in hidden form in accumulated hash C. The entries of application A and application B are not accumulated there.
Each server is notified of a log produced from the entries of the execution environment in which its service client operates and of the applications operating in that execution environment. For example, signed log A, which contains signed accumulated hash S and signed accumulated hash A, is notified to server A, and signed log C, which contains signed accumulated hash S' and signed accumulated hash C, is notified to server C.
In this way, VL guarantees that the execution environments do not interact. Because components operating in a different execution environment cannot cause faults or deception, there is no need to notify the entries of those components.
In the present embodiment, the virtualization software 1013 is executed after the kernel program starts. However, as shown in Fig. 13B, the program started first may also be the virtualization software 1013, with this kernel program (Kernel) and the other kernel program' (Kernel') started on top of it.
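The Fig. 12 arrangement, as an added example that is not the patent's code: each execution environment keeps its own system hash (S or S') and its own application hashes, VL hands the original environment's entries to the virtual environment before Kernel' is accumulated, and servers whose application hashes are still equal share a single register until an update makes them differ, as described for not-yet-started services in the first embodiment. Assumed: SHA-256 with H(acc || H(entry)), constructed server names, and two extra servers E and F whose services never start.

```python
import hashlib
import json

INITIAL = bytes(32)  # assumed initial value of every accumulated hash (constructed)

def digest(obj) -> bytes:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest()

def extend(acc: bytes, entry: dict) -> bytes:
    """Accumulation step (claim 7): H(acc || H(entry)); the order is an assumption."""
    return hashlib.sha256(acc + digest(entry)).digest()

def hide(entry: dict) -> dict:
    """Hidden entry: Entry ID and the hash of the plaintext part (Fig. 8B)."""
    return {"id": entry["id"], "hidden": digest(entry["content"]).hex()}

class SharedRegisters:
    """Application accumulated hashes of several servers. Servers whose values are
    equal share one register; a register is copied only when an update would make
    its members differ (the optimisation for not-yet-started services, claim 8)."""

    def __init__(self, servers):
        self.groups = [(frozenset(servers), INITIAL)]

    def accumulate(self, entry: dict, allowed: frozenset) -> None:
        hidden, groups = hide(entry), []
        for members, acc in self.groups:
            plain, rest = members & allowed, members - allowed
            if plain:  # these servers may see the entry as is
                groups.append((plain, extend(acc, entry)))
            if rest:  # these servers only get the hidden form
                groups.append((rest, extend(acc, hidden)))
        self.groups = groups

    def value(self, server: str) -> bytes:
        return next(acc for members, acc in self.groups if server in members)

class ExecutionEnvironment:
    """One execution environment of Fig. 12: its own system accumulated hash
    (S or S') and its own application registers."""

    def __init__(self, servers, submitted=()):
        self.system_hash, self.system_log = INITIAL, []
        for e in submitted:  # system entries handed over by VL (claim 3)
            self.measure(e)
        self.apps = SharedRegisters(servers)

    def measure(self, entry: dict, allowed=()) -> None:
        if entry["owner"] == "sys":
            self.system_log.append(entry)
            self.system_hash = extend(self.system_hash, entry)
        else:
            self.apps.accumulate(entry, frozenset(allowed))

def entry(i: int, owner: str, name: str) -> dict:
    """Constructed measurement entry for one component."""
    return {"id": i, "owner": owner, "content": {"name": name, "hash": f"h{i}"}}

def boot_fig12() -> dict:
    """Constructed start-up in the order of Fig. 12, with two extra servers E and F
    whose services never start so that register sharing is visible."""
    original = ExecutionEnvironment({"srvA", "srvB", "srvE", "srvF"})
    for i, name in enumerate(["BIOS", "loader", "Kernel", "VL"]):
        original.measure(entry(i, "sys", name))
    # VL submits the original environment's entries; Kernel' is accumulated on top.
    virtual = ExecutionEnvironment({"srvC", "srvD"}, submitted=original.system_log)
    virtual.measure(entry(4, "sys", "Kernel'"))
    registers_before = len(original.apps.groups)
    original.measure(entry(5, "A", "appA"), allowed={"srvA"})
    original.measure(entry(6, "B", "appB"), allowed={"srvB"})
    virtual.measure(entry(7, "C", "appC"), allowed={"srvC"})
    virtual.measure(entry(8, "D", "appD"), allowed={"srvD"})
    # Server C recomputes S' from the log it is notified of: the submitted
    # original-environment entries followed by Kernel'.
    s_prime = INITIAL
    for e in virtual.system_log:
        s_prime = extend(s_prime, e)
    return {
        "S": original.system_hash, "S_prime": virtual.system_hash,
        "S_prime_recomputed": s_prime,
        "A": original.apps.value("srvA"), "B": original.apps.value("srvB"),
        "E": original.apps.value("srvE"), "F": original.apps.value("srvF"),
        "C": virtual.apps.value("srvC"), "D": virtual.apps.value("srvD"),
        "registers_before_apps": registers_before,
        "registers_after_apps": len(original.apps.groups),
    }
```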
(Third embodiment)
In the third embodiment of the present invention, an information processing terminal having a removable secure device (safety equipment) will be described, the secure device being equipped with a tamper-resistant storage area and a processor. Fig. 3 is a block diagram of the third embodiment of the present invention.
The configuration of the terminal will be described with reference to Fig. 3. The processing performed by each block is the same as described in the first embodiment. The information processing terminal 10 has disclosure/non-disclosure determination part 1001, log hiding part 1002, multiple-log measurement part 1003, log formation part 1004, verification request part 1005, policy store part 1006, log store part 1007, and service client 1011.
Secure device 40 has accumulation calculation part 4001, signature process part 4002, accumulated hash storage area 4003, verification part 4004, server DB 4005, and service server 4006.
The operation of accumulating a measured hash when an event occurs will now be described with reference to Fig. 10. An entry for event information occurring in the information processing terminal 10 is passed to disclosure/non-disclosure determination part 1001. Using the policy data stored in the policy store part, disclosure/non-disclosure determination part 1001 determines the servers to which the entry may be disclosed (disclosure/non-disclosure determination step S201). At this time, disclosure/non-disclosure determination part 1001 also takes into account service server 4006 in secure device 40.
Log hiding part 1002 hides the entry for the servers to which the entry is not disclosed (log hiding step S202). At this time, the hidden entry is stored in log store part 1007.
Multiple-log measurement part 1003 receives the unhidden entry and the hidden entry and, according to the result of the determination made by disclosure/non-disclosure determination part 1001, sends secure device 40 a command to update the multiple accumulated hashes (multiple-log measurement step S203). More specifically, the accumulated hash number and the hash are included in the command sent to secure device 40, and the command requests processing that accumulates the hash of the hidden entry in the accumulated hash corresponding to each server (including service server 4006 in secure device 40) as required.
Accumulation calculation part 4001 of secure device 40 receives the command containing the hash and the accumulated hash number and updates the corresponding accumulated hash. The accumulated hash is stored in accumulated hash storage area 4003 (accumulation calculation step S204).
With reference to Fig. 11, the operation in which the service client sends a status notification to the service server will now be described. Service client 1011 requests verification request part 1005 to perform verification (verification request step S211).
Verification request part 1005 requests a signed log from log formation part 1004 (signed log request step S212). Log formation part 1004 extracts the corresponding entries from log store part 1007, applies hiding processing to entries where necessary, forms the log corresponding to the server to be notified, and requests signature processing from signature process part 4002 (signature request step S213).
Signature process part 4002 calculates a digital signature over the accumulated hash of the designated accumulated hash number (signature process step S214). The calculation of the digital signature is generally an operation that processes the accumulated hash with the signing key of secure device 40, and is performed with a well-known technique such as RSA.
The digital signature is the digital signature assigned to the accumulated hash corresponding to the reconstituted log. Verification request part 1005 receives the signed log produced with the digital signature from signature process part 2002 and sends the signed log to verification part 4004 (signed log transmission step S215).
Verification part 4004 receives the signed log; first verifies the certificate; verifies, using the public key contained in the certificate, the signature attached to the accumulated hash, thereby establishing that the accumulated hash has not been tampered with; calculates the accumulated hash from the log of received entries; and compares the calculated hash with the received accumulated hash, thereby verifying that there is no inconsistency between the received accumulated hash and the log of entries. In addition, it extracts the data for verifying the log from server DB 4005 and verifies the log (log verification step S216).
When it receives confirmation that the operating state of service client 1011 presents no problem, service server 4006 provides the service (service provision step S217). During the sequence of notification and verification communication operations, a session key is shared between service client 1011 and service server 4006, and this session key is used as appropriate in the communication performed when the service is provided.
As described above, for example, important personal information is stored in the secure device in advance, and only a service client that has successfully completed verification is allowed to obtain and operate on this personal information, so that the safe handling of personal information becomes practical. Although the server function is realized in the secure device in the present embodiment, this server function may also be realized in an ordinary server on the network. In the above description, verification part 4004 was described as receiving the signed accumulated hash from verification request part 1005 of the information processing terminal 10. However, verification part 400 may also receive the accumulated hash stored in accumulated hash storage area 4004 through an internal interface in the secure device, and receive only the reconstituted log from verification request part 1005.
(Fourth embodiment)
The fourth embodiment of the present invention describes the case where the service client of the third embodiment is executed in a virtual execution environment. Fig. 4 is a block diagram of the fourth embodiment of the present invention.
In addition to the elements of the information processing terminal of the third embodiment, the information processing terminal 10 has a virtual execution environment 1012 realized by a kernel program different from the initially started kernel program, and virtualization software 1013 that realizes the virtual execution environment 1012.
In addition to the elements of the secure device of the third embodiment, secure device 40 has execution environment provision part 4007, which provides the virtual execution environment, and execution environment storage area 4008, which stores the virtual execution environment.
The operation of the information processing terminal will now be described. After the kernel program is started as a result of powering on the information processing terminal 10, the virtualization software 1013 is measured and started.
The virtualization software 1013 requests an execution environment from execution environment provision part 4007 of secure device 40. Execution environment provision part 4007 extracts the image of the virtual execution environment from execution environment storage area 4008 and sends the extracted image to the virtualization software 1013, which then executes the virtual execution environment 1012. The virtualization software 1013 separates the virtual execution environment 1012 from the original execution environment, so that the original execution environment does not directly affect the virtual execution environment or the applications operating in it.
Service client 1011 is executed in the virtual execution environment 1012. Service client 1011 is also measured at this time, but its measurement is accumulated in a hash different from the accumulated hash used for the measurements of the original execution environment. When multiple service clients 1011 are executed, multiple accumulation calculations are performed as in the third embodiment, and in this case too, hashes different from the accumulated hashes used by the original execution environment are used for accumulation.
A service client operating in the original execution environment uses the accumulated hash of the original execution environment to notify the service server, and a service client operating in the virtual execution environment uses the accumulated hash of the virtual execution environment to notify the service server, so that confidentiality is further enhanced.
Verification part 4004 verifies the notified log and uses the data from server DB 4005 to examine the content of the log. Service server 4006 receives the result of this examination and determines whether to provide the service. For example, service server 4006 responds only to requests from applications operating in the virtual execution environment 1012 provided by execution environment provision part 4007. In the present embodiment, execution environment provision part 4007 provides only the virtual execution environment 1012, but it may also provide the applications operating in that environment. In the above description, verification part 4004 was assumed to receive the signed accumulated hash from verification request part 1005 of the information processing terminal 10. However, the verification part may also receive the accumulated hash stored in accumulated hash storage area 400 through an internal interface in the secure device, and receive only the reconstituted log from verification request part 1005.
In the present embodiment, the accumulation calculation part, the accumulated hash storage area and the signature process part are each provided in the secure device. However, as in the first embodiment, the information processing terminal may be equipped with a secure device while part of the measurement operation, for example the system measurement, is realized using functions of the information processing terminal. In addition, the accumulated hashes saved in the secure device may also be reset when the secure device is connected.
The present invention has been described in detail with reference to these specific embodiments. However, it is obvious to those skilled in the art that various changes and modifications may be made to the present invention without departing from its spirit and scope.
The present patent application is based on Japanese patent application JP-2006-171727 filed on June 21, 2006, the content of which is incorporated herein by reference.
Industrial applicability
The information processing terminal of the present invention notifies the state of the information processing terminal while protecting privacy information, so that both security and privacy can be protected. For example, the present invention can be applied to various information processing terminals, such as mobile phones, PDAs (personal digital assistants), personal computers, music players (and recorders), cameras, and video cameras.

Claims (17)

1. An information processing terminal for receiving a service from a service server, the information processing terminal comprising:
a plurality of execution environments (1012);
a service client (1011), to be executed on each of the plurality of execution environments, for receiving a service from a service server;
one or more pieces of software, including the service client to be executed on each of the plurality of execution environments, wherein the entries of pieces of software to be executed on different execution environments are accumulated in different accumulated hashes;
a log store part (1007) that stores the entries of the one or more pieces of software;
a log formation part (1004) that extracts corresponding entries from the entries stored in the log store part to constitute a log; and
a verification request part (1005) that requests the log in response to a verification request from the service client and receives the log, wherein
the verification request part sends a log produced from the entries of the execution environment in which the service client operates and of the one or more pieces of software operating on that execution environment to the corresponding service server, so as to request that the corresponding service server verify the one or more pieces of software executed in the information processing terminal.
2. The information processing terminal according to claim 1, wherein at least one of the plurality of execution environments is a virtual execution environment.
3. The information processing terminal according to claim 2, wherein the entries of the original execution environment are submitted to the virtual execution environment, and the entries thus submitted and the entries of the virtual execution environment are accumulated, thereby forming the accumulated hash of the virtual execution environment.
4. An information processing terminal for receiving a service from a service server by using a service client, the information processing terminal comprising:
system software;
one or more applications including a service client (1011) for receiving a service from a service server;
a log store part (1007) that stores the entries of the system software and of the one or more applications;
a log formation part (1004) that extracts corresponding entries from the entries stored in the log store part to constitute a log;
a verification request part (1005) that requests the log in response to a verification request from the service client and receives the log; and
an accumulation calculation part (2001) that separately accumulates a system accumulated hash corresponding to the system software and an application accumulated hash corresponding to the one or more applications, wherein
the verification request part sends the log produced from the entries corresponding to the system software and the one or more applications, together with the system accumulated hash and the application accumulated hash, to the service server, so as to request that the service server verify the one or more applications executed in the information processing terminal.
5. The information processing terminal according to claim 4, further comprising:
a disclosure/non-disclosure determination part that determines, for each of the entries, whether notification of the entry to the service server is allowed; and
a hiding part that performs a hiding operation on entries whose notification is not allowed,
wherein the accumulation calculation part produces the application accumulated hash through the following steps: (i) for one or more entries whose notification is allowed, performing the calculation based on those entries; and (ii) for one or more entries whose notification is not allowed, performing the calculation based on one or more hidden entries, the one or more hidden entries being information obtained by performing the hiding operation on the one or more entries whose notification is not allowed.
6. The information processing terminal according to claim 5, wherein the verification request part also sends data attached to the system accumulated hash and the application accumulated hash.
7. The information processing terminal according to claim 5, wherein the accumulation calculation part produces the system accumulated hash by repeating the following steps in the order in which programs are executed: (i) calculating the hash value of the entry for the system software; (ii) concatenating the hash value with the system accumulated hash; (iii) calculating the hash value of the information obtained by the concatenation; and (iv) updating the system accumulated hash with the hash value of the information obtained by the concatenation,
wherein the accumulation calculation part produces the application accumulated hash by repeating the following steps in the order in which programs are executed: (i) when notification of the entry is allowed, calculating the hash value of the entry for the one or more applications; (ii) when notification of the entry is not allowed, calculating the hash value of the hidden entry; (iii) concatenating the hash value with the application accumulated hash; (iv) calculating the hash value of the information obtained by the concatenation; and (v) updating the application accumulated hash with the hash value of the information obtained by the concatenation.
8. The information processing terminal as claimed in claim 5, wherein the information processing terminal receives a service from a second service server that is different from the service server,
Wherein the accumulation calculating section performs the calculation based on the entries for the one or more applications so as to produce a second application accumulation hash corresponding to the one or more applications, the one or more applications comprising at least a service client that receives the service from the second service server,
Wherein, in the case where the second application accumulation hash has the same value as the application accumulation hash, the accumulation calculating section stores the application accumulation hash and the second application accumulation hash as a single piece of information,
Wherein, in the case where the second application accumulation hash has a value different from the application accumulation hash, the accumulation calculating section stores the second application accumulation hash, and
Wherein the verification requesting section sends the system accumulation hash and the second application accumulation hash to the second service server so as to request the second service server to verify the one or more applications executed in the information processing terminal.
9. The information processing terminal as claimed in claim 5, wherein the information processing terminal receives a service from a second service server that is different from the service server,
Wherein the accumulation calculating section performs the calculation based on the entries for the one or more applications so as to produce a second application accumulation hash, the one or more applications comprising at least a service client that receives the service from the second service server,
Wherein, each time one of the applications is executed, the accumulation calculating section updates the application accumulation hash and the second application accumulation hash,
Wherein, in the case where the second application accumulation hash has the same value as the application accumulation hash and the application accumulation hash and the second application accumulation hash undergo the same update, the accumulation calculating section updates one of the application accumulation hash and the second application accumulation hash and copies the result of the update into the other, thereby updating both the application accumulation hash and the second application accumulation hash, and
Wherein the verification requesting section sends the system accumulation hash and the second application accumulation hash to the second service server so as to request the second service server to verify the one or more applications executed in the information processing terminal.
10. The information processing terminal as claimed in claim 5, wherein an Entry ID identifying the entry is assigned to each of the entries,
Wherein the hiding section holds a master key, produces an encryption key from the data obtained by encrypting the Entry ID with the master key, and encrypts the entry with the encryption key, thereby performing the hiding operation on the entry.
11. The information processing terminal as claimed in claim 5, wherein the hiding section randomly generates an encryption key and encrypts the entry with the encryption key, thereby performing the hiding operation on the entry, and
Wherein the verification requesting section sends the encryption key to the service server.
12. The information processing terminal as claimed in claim 5, wherein the hiding section deletes part or all of the content of the entry, thereby performing the hiding operation on the entry.
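The accumulation steps of claims 5 and 7 together with the Entry-ID-keyed hiding of claim 10, as an added example that is not part of the patent or the applicant's implementation. It assumes SHA-256 as the hash, HMAC as the keyed derivation of the per-entry key from the master key and Entry ID, a hash-counter keystream in place of the cipher the claims leave unnamed, zero-initialised registers, and constructed sample entries.

```python
import hashlib
import hmac
from dataclasses import dataclass

H = hashlib.sha256
ZERO = bytes(32)  # initial value of both accumulation registers (assumption)


@dataclass
class Entry:
    entry_id: int      # Entry ID as in claim 10
    kind: str          # "system" or "app"
    content: bytes     # measured data recorded for the entry (constructed sample)
    notifiable: bool   # may the entry be sent to the service server in clear?


def extend(acc: bytes, data: bytes) -> bytes:
    """Claim 7: hash the entry, concatenate with the register, hash, update."""
    return H(acc + H(data).digest()).digest()


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode stream from a hash; stands in for the patent's unnamed cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += H(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def hide(entry_id: int, content: bytes, master_key: bytes) -> bytes:
    """Claim 10 style hiding: per-entry key derived from the Entry ID under the
    master key (HMAC chosen here as the keyed derivation), content masked with it.
    XOR masking is an involution, so the same call releases the hidden state
    (claim 13) when the terminal decides to disclose the entry."""
    ek = hmac.new(master_key, entry_id.to_bytes(4, "big"), H).digest()
    return bytes(c ^ s for c, s in zip(content, keystream(ek, len(content))))


def build_log(entries, master_key):
    """Terminal side (claim 5): returns the log to send plus both registers."""
    sys_acc, app_acc, log = ZERO, ZERO, []
    for e in entries:  # in program execution order
        if e.kind == "system":
            sys_acc = extend(sys_acc, e.content)
            log.append((e.entry_id, "system", e.content))
        else:
            visible = e.content if e.notifiable else hide(e.entry_id, e.content, master_key)
            app_acc = extend(app_acc, visible)
            log.append((e.entry_id, "app", visible))
    return log, sys_acc, app_acc


def server_verify(log, sys_acc, app_acc, known_good_sys):
    """Service server side: replay the log into fresh registers and compare them
    with the reported values. Hidden entries replay from their ciphertext, so the
    log stays checkable without revealing their content; the system register is
    also matched against a reference value the server already trusts."""
    s, a = ZERO, ZERO
    for _, kind, data in log:
        if kind == "system":
            s = extend(s, data)
        else:
            a = extend(a, data)
    return s == sys_acc and a == app_acc and s == known_good_sys
```

Any change to a log entry, hidden or not, breaks the replay, which is what lets the server detect tampering while the hidden entries' plaintext stays on the terminal until the disclosure step of claim 13.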
13. The information processing terminal as claimed in claim 5, further comprising:
A log disclosure confirmation section which, when the service server requests disclosure of a hidden entry: (i) obtains or generates information for releasing the hidden state; (ii) determines whether to disclose the entry to the service server making the request; and (iii) when the disclosure has been confirmed, sends to the service server the information for releasing the hidden state, or the entry obtained by releasing the hidden state.
14. The information processing terminal as claimed in claim 13, wherein, when determining whether to disclose the entry, the log disclosure confirmation section presents the entry released from the hidden state to the user and lets the user specify whether the entry is to be disclosed.
15. A secure device connected to an information processing terminal, the information processing terminal storing system software and one or more applications and executing the system software and the one or more applications, the one or more applications comprising a service client for receiving a service, the secure device comprising:
An accumulation calculating section which receives from the information processing terminal a command comprising a hash and an accumulation hash number, and which accumulates respectively a system accumulation hash corresponding to the system software and an application accumulation hash corresponding to the one or more applications;
A verification section which uses the system accumulation hash and the application accumulation hash to verify the execution state of the one or more applications executed in the information processing terminal; and
A server which provides the service to the service client when the verification performed by the verification section succeeds.
16. The secure device as claimed in claim 15, wherein the accumulation calculating section sends the system accumulation hash and the application accumulation hash to the verification section through an internal interface of the secure device.
17. A method used in an information processing terminal for receiving a service from a service server by using a service client, the method comprising:
Storing system software and one or more applications, the one or more applications comprising a service client (1011) for receiving the service from the service server;
Storing entries for the system software and the one or more applications;
Extracting corresponding entries from the entries stored in the log storage section to constitute a log;
Requesting a log in response to a verification request from the service client, and receiving the log; and
Accumulating respectively a system accumulation hash corresponding to the system software and an application accumulation hash corresponding to the one or more applications, wherein
The log generated from the entries corresponding to the system software and the one or more applications, together with the system accumulation hash and the application accumulation hash, is sent to the service server so as to request the service server to verify the one or more applications executed in the information processing terminal.
CN2007800234337A 2006-06-21 2007-06-14 Information processing terminal, safety equipment, method used in the information processing terminal Expired - Fee Related CN101473335B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2006171727A JP4939851B2 (en) 2006-06-21 2006-06-21 Information processing terminal, secure device, and state processing method
JP171727/2006 2006-06-21
PCT/JP2007/062035 WO2007148602A1 (en) 2006-06-21 2007-06-14 Information processing terminal and status notifying method

Publications (2)

Publication Number Publication Date
CN101473335A CN101473335A (en) 2009-07-01
CN101473335B true CN101473335B (en) 2012-05-09

Family

ID=38833344

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007800234337A Expired - Fee Related CN101473335B (en) 2006-06-21 2007-06-14 Information processing terminal, safety equipment, method used in the information processing terminal

Country Status (4)

Country Link
US (1) US8086861B2 (en)
JP (1) JP4939851B2 (en)
CN (1) CN101473335B (en)
WO (1) WO2007148602A1 (en)

Also Published As

Publication number Publication date
US20090271637A1 (en) 2009-10-29
JP2008005156A (en) 2008-01-10
CN101473335A (en) 2009-07-01
US8086861B2 (en) 2011-12-27
JP4939851B2 (en) 2012-05-30
WO2007148602A1 (en) 2007-12-27

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120509

Termination date: 20130614